OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
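The missing control is an Origin check on the websocket handshake. The following is an added example, not Nova's code or its patch; the function names, the allowlist and all hostnames are assumptions constructed for illustration, and header names are assumed to be lower-cased by the caller.

```python
from urllib.parse import urlsplit

# Constructed allowlist of extra trusted UI hostnames (hypothetical values).
ALLOWED_ORIGIN_HOSTS = frozenset({"dashboard.example.test"})


def _hostname(netloc):
    """Lower-cased hostname from 'host[:port]'; '' if it cannot be parsed."""
    try:
        return (urlsplit("//" + netloc).hostname or "").lower()
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return ""


def origin_is_trusted(headers, allowed_hosts=ALLOWED_ORIGIN_HOSTS,
                      tls=True, allow_missing=False):
    """Return True if a websocket upgrade request comes from a trusted page.

    headers: dict mapping lower-cased header names to values.
    tls: whether the proxy itself is served over TLS (sets the expected scheme).
    allow_missing: policy for clients that send no Origin header at all;
        browsers always send one on websocket handshakes.
    """
    origin = headers.get("origin")
    if origin is None:
        return allow_missing
    try:
        parsed = urlsplit(origin)
    except ValueError:
        return False
    # "null" (sandboxed or file:// pages) has no scheme and is rejected here.
    if parsed.scheme != ("https" if tls else "http"):
        return False
    origin_host = (parsed.hostname or "").lower()
    if not origin_host:
        return False
    # Exact hostname comparison, never a prefix or substring match.
    expected = _hostname(headers.get("host", ""))
    return origin_host == expected or origin_host in allowed_hosts


if __name__ == "__main__":
    # Constructed handshake headers for a proxy reached at console.example.test:6080.
    host = "console.example.test:6080"
    for origin in ("https://console.example.test", "https://other.example.net", "null"):
        print(origin, origin_is_trusted({"host": host, "origin": origin}))
```

The check belongs before the session token is looked up, so that a rejected handshake never reaches console authorization.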
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nova | Openstack | 2014.1 (including) | 2014.1.4 (excluding) |
Nova | Openstack | 2014.2 (including) | 2014.2.3 (excluding) |
Nova | Openstack | 2015.1.0-milestone1 (including) | 2015.1.0-milestone1 (including) |
Nova | Openstack | 2015.1.0-milestone2 (including) | 2015.1.0-milestone2 (including) |
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | RedHat | openstack-nova-0:2014.1.4-3.el6ost | * |
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 | RedHat | openstack-nova-0:2014.1.4-3.el7ost | * |
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | RedHat | openstack-nova-0:2014.2.2-19.el7ost | * |
Nova | Ubuntu | upstream | * |